Firefox will block third-party cookies in a future version

Jonathan Mayer, a researcher at Stanford, has contributed a patch for Firefox that will block third-party cookies from being installed in the user's browser. The patch is set to be incorporated into Firefox 22. (Update: while the "target milestone" for this patch is version 22, Mozilla reached out to us on Monday to say that it can't confirm the exact date or version in which the patch will be officially incorporated.) For some sense of timing on the project, Firefox 19 was released on Tuesday.

With the patch, Firefox would allow all cookies from sites that a user actively visits, but it would block cookies from third-party sites if a user has not visited that cookie's origin site. Advertisers generally place third-party cookies and can use them to collect data about a user across several websites. That data is used to serve more targeted ads or to refine where an advertising firm should spend its money.

Blocking third-party cookies would not be new or unheard of among browsers; Apple's Safari already rejects cookies from third parties. In a blog post on Friday, Mayer called the Firefox patch “a slightly relaxed version of the Safari policy.” Chrome allows all cookies, and Internet Explorer blocks some third-party cookies, although not all.
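The following sketch is an added illustration, not code from the Firefox patch or from Mayer. It models the rule as this article describes it (accept a third-party cookie only if the user has visited the cookie's origin site) next to an allow-all policy and a blanket third-party block. The hostnames, the "last two labels" definition of a site, and all function names are assumptions made for the example.

```javascript
// Simplified model of the cookie policies described in the article (added example).
// Assumption: a "site" is the last two labels of a hostname; real browsers use the Public Suffix List.
const siteOf = (host) => host.split(".").slice(-2).join(".");

const POLICIES = {
  // Every cookie is accepted (how the article describes Chrome).
  allowAll: () => true,
  // Blanket block of anything that is not the top-level site, for comparison.
  blockAllThirdParty: (cookieSite, pageSite) => cookieSite === pageSite,
  // The patch as the article describes it: third-party cookies are accepted
  // only when the user has already visited the cookie's origin site.
  visitedOnly: (cookieSite, pageSite, visited) =>
    cookieSite === pageSite || visited.has(cookieSite),
};

// Replays page loads in order; returns cookie site -> set of top-level sites
// on which that site's cookie was accepted.
function simulate(policyName, pageLoads) {
  const accept = POLICIES[policyName];
  const visited = new Set(); // sites the user loaded as the top-level page
  const seenOn = new Map();
  for (const { page, embeds } of pageLoads) {
    const pageSite = siteOf(page);
    visited.add(pageSite);
    for (const host of [page, ...embeds]) {
      const cookieSite = siteOf(host);
      if (!accept(cookieSite, pageSite, visited)) continue;
      if (!seenOn.has(cookieSite)) seenOn.set(cookieSite, new Set());
      seenOn.get(cookieSite).add(pageSite);
    }
  }
  return seenOn;
}

// Top-level sites on which `host` held a cookie while embedded as a third party.
function crossSiteReach(policyName, pageLoads, host) {
  const site = siteOf(host);
  const pages = simulate(policyName, pageLoads).get(site) || new Set();
  return [...pages].filter((p) => p !== site).sort();
}

// Constructed browsing session; every hostname here is made up.
const SESSION = [
  { page: "news.example", embeds: ["ads.tracker.example", "widgets.social.example"] },
  { page: "www.social.example", embeds: [] }, // user visits the social site directly
  { page: "shop.example", embeds: ["ads.tracker.example", "widgets.social.example"] },
];
```

In this session the never-visited ad host gets no cross-site cookie under `visitedOnly`, while the social widget regains one on every page loaded after the user has visited the social site directly.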

The balance between user privacy and money from advertisers has been difficult to strike. Last February, the US suggested companies agree to an “Internet Privacy Agreement” that would protect users who added themselves to a “Do Not Track” list. Despite the publication of that agreement, little real change has occurred in companies' practices. In May 2012, the UK enacted an almost pointlessly broad “cookie law,” which required users' consent to install cookies. “Consent” was later redefined as “implied consent,” however: if a user visited a site for the first time, the site showed a notice that it was serving cookies to the user's browser, and the user took no action, the user was deemed to have consented to that site's cookies.

Users can already manually disable cookies in Firefox, but in a future version it will be an automatically enabled feature.

Considering the fact that the internet currently runs largely on ads, I'm not sure how I feel about this. If it means ads become less effective because users can't be tracked accurately, advertisers will lose out and logically so will the "free" internet. Or worse, advertisers will just move to more aggressive forms of tracking, like Flash cookies.

I've been manually blocking all third-party cookies myself for some time now. Aside from a few isolated cases, mostly with commenting systems like Disqus that rely on these cookies, I've had little issue with it. Implementing an easy and non-arcane way to whitelist specific ones like that would be a nice feature.

This is going to have a strong, unintended side effect. What it will do is turn all tracking cookies into first-party cookies. Sites displaying advertising will simply proxy the pixel images from the ad networks through their own server.

If a patch has already been submitted and works, why wait until v.22? Couldn't they just add it in with v.20 in a few weeks?

For redundancy, and to maintain continuity. It goes Firefox Nightly, which is updated nightly, then there's Firefox Beta, and lastly the default Firefox build. If you want the latest updates when they come out, then just get Firefox Nightly.

I don't understand this, wasn't Mozilla admonishing Microsoft for shipping with the "DoNotTrack:" header on by default? This is effectively the same thing.

It's not. DoNotTrack is an emerging standard that will work only with the cooperation of advertisers. With that in mind, it has to be done in a way that is at least somewhat palatable to those advertisers or it will never be implemented at all -- it doesn't matter that the browser implements it, the advertiser has to implement it too or it literally will do nothing.

Third-party cookies, on the other hand, are controlled by the browser. It doesn't depend on the cooperation of the advertisers.

If a patch has already been submitted and works, why wait until v.22? Couldn't they just add it in with v.20 in a few weeks?

For redundancy, and to maintain continuity. It goes Firefox Nightly, which is updated nightly, then there's Firefox Beta, and lastly the default Firefox build. If you want the latest updates when they come out, then just get Firefox Nightly.

Ah, I suppose that makes sense to put it through the full update chain first. I just figured if it was small and feature-complete it'd be easier to just ship it out with the next big update. Guess this just goes to show I'm clearly not a software developer by trade.

I prefer to see ads that are relevant to my interests rather than just random noise. It means that occasionally I will see and click on an ad. This gets rid of that, so I'll start seeing ads that bear no relationship to me or my interests.

Yes, I could install an adblocker - but that means I'm not contributing any value to the sites I visit (and I know it costs money to run a website), and I will miss out on that occasional serendipitous ad.

Considering the fact that the internet currently runs largely on ads, I'm not sure how I feel about this. If it means ads become less effective because users can't be tracked accurately, advertisers will lose out and logically so will the "free" internet. Or worse, advertisers will just move to more aggressive forms of tracking, like Flash cookies.

There's absolutely no reason why an advertiser needs to track you across the entire internet to "effectively" deliver you Ads. Static ads that don't track you should be the norm, not the exception. There is not a single valid reason why they should track you via third party cookies like they do now.

For those complaining that this will prove detrimental to your personal experience, you will be able to re-enable tracking cookies.

I'm sure the affected websites will let you know, as well. They can (presumably) detect that the cookies are being blocked, and post a notice telling you what is wrong and how to fix it. Or they could just up and block Firefox entirely. Someone on r/Google or r/Chrome over on Reddit posted a site that they could not get into with Chrome (they tried a bunch of stuff) because the site owners just don't like Google.

toyotabedzrock brings out a good point. How does this affect iframes with cookies? A simple snippet of javascript in the head of a document can create an invisible iframe. If this does not block iframe cookies it is effectively pointless. All Google/Facebook/advertisers have to do is update their tracking scripts to create an iframe.

There's absolutely no reason why an advertiser needs to track you across the entire internet to "effectively" deliver you Ads. Static ads that don't track you should be the norm, not the exception. There is not a single valid reason why they should track you via third party cookies like they do now.

Can you provide your definition of "effective?" I don't think that word means the same thing to me as it does to you.

And what do you mean by "static" ads? An ad that is shown to all site visitors ... effectively a non-targeted ad? So that spot on the publisher's page is "static" like an ad in a print newspaper? How sustainable is that for the publisher? After all, _we_ are the product that they are offering to marketers. The alternative is to pay for each website you visit, which may be acceptable to you. But not everyone agrees with that sentiment. Some in that group have already posted comments here.

But back to the question, please define how "effective" must an ad delivery system be for a publisher to survive without going behind a pay wall ... which is, itself, not a guarantee of survival.

FYI, it turns out you can fix this without totally opening the floodgates by adding blogger.com (not blogspot) to the cookie exceptions. (The format in Chrome is trickier: "[*.]blogger.com") Similarly, commenting on Disqus with a Google login works again if you add google.com (or [*.]google.com in Chrome).

I've been manually blocking all third-party cookies myself for some time now. Aside from a few isolated cases, mostly with commenting systems like Disqus that rely on these cookies, I've had little issue with it. Implementing an easy and non-arcane way to whitelist specific ones like that would be a nice feature.

That's what I was thinking about, the option to block third party cookies is already possible, I guess it'll be a default setting in 22?

Edit: I just read the subtitle; "Cookies from sites you visit? Good. Everything else? Blocked by default." :-P

This doesn't make ads "less relevant" to you. Ads can still be targeted based on the page you're on *right now* vs. your browsing across the entire Internet.

I don't agree. A relevant ad for me will probably show something about gadgets or programming even though I'm reading an article about flooding in the UK. Using the system you describe, what kind of ads can be shown on this article about Firefox? Or an article about a man in blue underwear shooting choppers with a laser? Then ask whether these ads will earn enough money for the pub to survive.

There's absolutely no reason why an advertiser needs to track you across the entire internet to "effectively" deliver you Ads. Static ads that don't track you should be the norm, not the exception. There is not a single valid reason why they should track you via third party cookies like they do now.

Can you provide your definition of "effective?" I don't think that word means the same thing to me as it does to you.

And what do you mean by "static" ads? An ad that is shown to all site visitors ... effectively a non-targeted ad? So that spot on the publisher's page is "static" like an ad in a print newspaper? How sustainable is that for the publisher? After all, _we_ are the product that they are offering to marketers. The alternative is to pay for each website you visit, which may be acceptable to you. But not everyone agrees with that sentiment. Some in that group have already posted comments here.

But back to the question, please define how "effective" must an ad delivery system be for a publisher to survive without going behind a pay wall ... which is, itself, not a guarantee of survival.

Static ads were good enough for advertising in newspapers and magazines. Scratch that, they still are good enough. Also TV, billboards, buses, store windows. (You can argue newspapers are dying, but not TV, not yet anyway.) In all of these cases there are production costs that are not present for internet advertising. I would certainly argue that static ads on the internet can be as effective as static ads in other forms of media. The ads can still be served based on the context, so it's not like it's completely random.

The grab for consumer information is not because it's necessary but because it's easy and nothing is stopping it. I certainly won't argue that it is not valuable for companies to keep a dossier on me and you and serve personalized ads, it is. But I don't think it should be assumed that they *need* that information or that they deserve it for sponsoring website X. After all, they never got it for sponsoring free TV.

I am, on the other hand, willing to provide some info to companies that are directly providing me with something of value. I even participated in the Nielsen consumer panel for several years. But it was voluntary, they were honest and direct about what they wanted and why, they shared only anonymized data, and they offered something of value in return. None of that describes typical internet advertising.

I don't understand this, wasn't Mozilla admonishing Microsoft for shipping with the "DoNotTrack:" header on by default? This is effectively the same thing.

It's not. DoNotTrack is an emerging standard that will work only with the cooperation of advertisers. With that in mind, it has to be done in a way that is at least somewhat palatable to those advertisers or it will never be implemented at all -- it doesn't matter that the browser implements it, the advertiser has to implement it too or it literally will do nothing.

Third-party cookies, on the other hand, are controlled by the browser. It doesn't depend on the cooperation of the advertisers.

/whoosh

On the one hand, Mozilla chastises Microsoft for not cooperating with the ad networks, then turns around and does this uncooperative thing. Seems like a little selective hypocrisy to me.

I'm sorry it whooshed over your head.

You're trying to draw a parallel about principle, and you're defining the principle as being (I guess) "don't maintain user privacy by default." That's not the principle at work here though. The active principle is "don't compromise the privacy of the user." Microsoft by implementing DoNotTrack by default is not protecting the privacy of the user, they are sabotaging the DoNotTrack system so that it will fail and serve no purpose. We've already seen that actually happening: http://arstechnica.com/security/2012/09 ... -in-ie-10/

Microsoft is doing this as a colossally dishonest PR move. On the one hand they look like they are protecting privacy, consumers like that. On the other hand they stab DoNotTrack to death. Advertisers love that. It's win-win for them. But only because it is a lie.

Sorry, I have no sympathy for advertisers. Advertising is too insidious and ruthless to have any respect for it. Interesting that it is quite normal to paint the situation in an us-vs-them, good-guy/bad guy conflict scenario because this is exactly what it is.

There's absolutely no reason why an advertiser needs to track you across the entire internet to "effectively" deliver you Ads. Static ads that don't track you should be the norm, not the exception. There is not a single valid reason why they should track you via third party cookies like they do now.

Can you provide your definition of "effective?" I don't think that word means the same thing to me as it does to you.

And what do you mean by "static" ads? An ad that is shown to all site visitors ... effectively a non-targeted ad? So that spot on the publisher's page is "static" like an ad in a print newspaper? How sustainable is that for the publisher? After all, _we_ are the product that they are offering to marketers. The alternative is to pay for each website you visit, which may be acceptable to you. But not everyone agrees with that sentiment. Some in that group have already posted comments here.

But back to the question, please define how "effective" must an ad delivery system be for a publisher to survive without going behind a pay wall ... which is, itself, not a guarantee of survival.

You can purchase ads on sites that are likely to be frequented by your target audience. It means a little more for the marketing department. Websites will attract a certain demographic that can be used to determine ad placement. This is similar to radio or cable advertising.